b'\x0cChairman Harkin, Ranking Member Enzi, and Members of the Committee:\nThank you for inviting me here today to discuss the Pension Benefit Guaranty Corporation\xe2\x80\x99s\n(PBGC) oversight and management of its Single and Multiemployer Pension Insurance\nprograms. PBGC protects the pensions of approximately 44 million workers and retirees in more\nthan 27,500 private defined benefit pension plans. Under Title IV of the Employee Retirement\nIncome Security Act of 1974, PBGC insures, subject to statutory limits, pension benefits of\nparticipants in covered private defined benefit pension plans. To accomplish its mission, PBGC\nrelies extensively on the use of contractors and on information technology. Internal controls\nover these operations are essential to ensure the confidentiality, integrity, and availability of\ncritical data while reducing the risk of errors, fraud, and other illegal acts.\n\nIN SUMMARY\n\nMy testimony today is essentially \xe2\x80\x9cgood news\xe2\x80\x9d testimony. In some areas, focused attention by\nPBGC leadership has already resulted in effective corrective action; for example, during the past\nyear, PBGC implemented OIG\xe2\x80\x99s specific recommendations to enhance privacy processes and\nalso made additional improvements with the stated goal of making PBGC a model for handling\nsensitive information. In other areas, much remains to be done and full implementation of\ncorrective action may take years. Sustained management attention and oversight will be needed\nif PBGC is to fully implement its current plans to improve the effectiveness and integrity of its\ncontracting practices. While PBGC has developed corrective action plans to address serious\nweaknesses in information technology security, execution of the plans is scheduled to take\nbetween three and five years and many critical details of the plans have yet to be developed.\nDuring the interim, careful review by those with oversight responsibility for PBGC will be\nneeded to ensure that corrective action plans stay on track to completion.\n\nBACKGROUND\n PBGC receives no funds from general tax revenues; instead PBGC is financed by insurance\npremiums paid by companies that sponsor defined benefit pension plans, investment income, and\nassets from terminated plans. PBGC has been in a deficit position (where current and future\ncommitments to participants exceed resources) for a number of years. Inadequate minimum\ncontributions, inadequate insurance premiums, employer shift from defined benefit pension plans\nto defined contribution pension plans, and insufficient funding of terminated plans are factors\ncontributing to the deficit. Between the end of fiscal years (FY) 2008 and 2009, the deficit in\nPBGC\xe2\x80\x99s single-employer insurance program doubled in size from $10.7 billion to $21.1 billion.\nIn FY 2010, the single-employer program\xe2\x80\x99s net position declined by $.52 billion, increasing the\nprogram\xe2\x80\x99s deficit to $21.59 billion.\nPBGC currently pays monthly retirement benefits to over 800,000 retirees in 4,150 plans.\nIncluding those who have not yet retired and participants in multiemployer plans receiving\nfinancial assistance, PBGC is responsible for the current and future pensions of more than 1.4\nmillion people.\n\n\n\n\n                                                                                                 1\n\x0cTHE PBGC OFFICE OF INSPECTOR GENERAL\nThe PBGC Office of Inspector General provides an independent and objective voice that helps\nthe Congress, the Board of Directors, and PBGC protect the pension benefits of American\nworkers. Like all federal Offices of Inspector General, the PBGC Office of Inspector General is\ncharged with providing leadership and recommending policies and activities designed to prevent\nand detect fraud, waste, abuse, and mismanagement; conducting and supervising independent\naudits and investigations; and recommending policies to promote sound economy, efficiency,\nand effectiveness. As Inspector General, I report directly to the PBGC Board of Directors,\nthrough the PBGC Board Chair; this reporting relationship has supported OIG\xe2\x80\x99s ability to audit\nand investigate the aspects of PBGC operations that pose the highest risks for fraud, waste,\nabuse, and mismanagement.\nDuring the past two years, my office has conducted numerous independent audits and\ninvestigations pertaining to agency programs and operations, resulting in significant\nimprovements and changes that ultimately serve to protect America\xe2\x80\x99s pensions. Many of the\nreports have been quite critical of PBGC, in some instances placing significant stress on the\nrelationship between the Office of Inspector General and the Corporation. Nevertheless, the\nPBGC Board of Directors and PBGC have responded appropriately and professionally to\nimplement many of the improvements recommended by the Office of Inspector General.\nOur ongoing audit work addresses some of the most critical issues facing PBGC. We are in the\nprocess of applying for law enforcement authority and have begun the process of enhancing the\nnature and sophistication of the investigations we conduct. Recent cases accepted by United\nStates Attorney\xe2\x80\x99s Offices include significant issues such as complex multiemployer pension plan\nfraud. We are performing some of our investigations in concert with other agencies, including\nthe Department of Labor OIG Office of Labor Racketeering and Fraud, and other federal, state,\nand local law enforcement agencies.\n\nOver the last 5 years, we have issued 47 reports addressing PBGC\xe2\x80\x99s oversight of its programs\nand made 348 recommendations for improvement or recovery of questioned costs. Although\nPBGC has responded positively to many of our recommendations, 176 recommendations,\ncontained in 40 different reports, remain open as of today.\n\nTHE STATUS OF PBGC ACTIONS TO IMPLEMENT OIG RECOMMENDATIONS\n\nThe following are examples of some of PBGC\xe2\x80\x99s recent accomplishments in responding to OIG\nrecommendations, as well as areas where additional oversight and management attention are\nneeded.\n\n\nPBGC took action to protect sensitive and personally identifiable information.\nLast spring my office reported concerns with PBGC\xe2\x80\x99s privacy program. By law, PBGC has an\naffirmative responsibility to protect the confidentiality, integrity, and availability of personally\nidentifiable information. PBGC\xe2\x80\x99s mission requires the collection, storage and transmittal of a\ngreat deal of personally identifiable information, such as the names, social security numbers,\nand earning histories of workers in trusteed plans. In March 2010, we reported that PBGC\xe2\x80\x99s\n\n                                                                                                       2\n\x0cPrivacy Office did not properly monitor its privacy processes for quality and compliance.\nFurther, PBGC\xe2\x80\x99s process for reporting personally identifiable information events was inaccurate\nand unverifiable. Technical controls (e.g., encryption of laptop computers) required\nstrengthening.\nTo its credit, the Corporation took immediate measures to begin addressing reported concerns.\nSome actions directly addressed OIG\xe2\x80\x99s recommendations; for example, specific guidance and\nprocedures were developed for privacy staff to follow in reporting to the United States Computer\nEmergency Readiness Team (US-CERT) security incidents involving the disclosure of\npersonally identifiable information. PBGC\xe2\x80\x99s actions went well beyond the specific\nrecommendations included in OIG\xe2\x80\x99s report. PBGC reexamined its privacy program with the\nstated intention of making PBGC a model for handling sensitive information and surveyed other\nfederal agencies to identify best practices. The Privacy Office then developed and implemented\nkey guidance, including detailed recordkeeping instructions and a requirement that all incidents\ninvolving personally identifiable information be reported to US-CERT within one hour of\ndiscovery. The guidance was widely disseminated via email to all PBGC employees and\ncontractors with PBGC email accounts, as well as to the contract service providers that handle or\naccess personally identifiable information at contractor facilities. PBGC followed up by giving\nin-person training on privacy protection standards and reporting requirements to those PBGC\nemployees and contractors (e.g., staff at Field Benefit Administration sites) who frequently\nhandle sensitive information.\nEarlier this fall, we reviewed PBGC\xe2\x80\x99s corrective actions related to PBGC\xe2\x80\x99s privacy program.\nOur testing showed that our recommendations in this important area had been effectively\nimplemented. The Corporation\xe2\x80\x99s positive reaction to OIG\xe2\x80\x99s findings increased the likelihood\nthat PBGC will be able to properly protect the personally identifiable information and other\nsensitive data with which it has been entrusted.\n\nPBGC initiated actions to protect its securities on loan to other investors.\nSecurities lending is a small but important component of PBGC\xe2\x80\x99s overall investment program\nand is intended to obtain incremental investment return. As of September 30, 2010, PBGC had\nabout $21 billion in securities available for lending; of this amount, about $5.7 billion in\nsecurities was actually on loan. OIG\xe2\x80\x99s review of PBGC\xe2\x80\x99s Securities Lending Program disclosed\nthe general absence of written guidance at all levels and little documentation of the procedures\nused to implement, monitor, and oversee the program. Further, we reported that PBGC was\nunable to independently validate that the gross and net revenues earned through the program\nwere correctly calculated by the bank with custody of PBGC\xe2\x80\x99s loaned assets. Upon issuance of\nour report, representatives of the PBGC Board of Directors and PBGC leadership responded\npromptly and corrective actions were initiated.\n\nPBGC is making progress in the implementation of the sixteen recommendations included in\nOIG\xe2\x80\x99s report. For example, PBGC has developed and is testing a method to validate the amount\nof revenue earned through securities lending. That is, PBGC will soon be capable of \xe2\x80\x9cchecking\xe2\x80\x9d\nthe calculations of its custodian to ensure the Corporation receives the full amount of earnings to\nwhich it is entitled. Reducing PBGC\xe2\x80\x99s dependence on the custodial bank is an important step.\nFurther, PBGC is in the process of implementing a number of internal controls intended to\n\n                                                                                                   3\n\x0cprovide effective oversight and monitoring of the securities lending program. OIG continues to\nwork diligently to support PBGC in its ongoing efforts to develop needed controls over this\ncomplex investment practice.\n\nAt the time of our review, written policies regarding the securities lending program were\nvirtually non-existent. PBGC has begun the arduous process of drafting written policy guidance\nregarding the establishment, investment objectives, risk tolerance, and measurement standards\nand operations of the securities lending program. We have worked closely with PBGC,\nreviewing several iterations of PBGC\xe2\x80\x99s draft documents and offering suggestions and edits.\nBecause the PBGC Board has the authority and responsibility for establishing and overseeing the\ninvestment policy and its implementation, the securities lending guidelines proposed in our\nreport should be submitted to the Board and Board Representatives for review. Our\nrecommendations for guidance will not be considered complete until this has been done.\n\nPBGC is working toward protection of the Corporation\xe2\x80\x99s ability to carry out its mission\nthrough the use of information technology.\n\nOIG has focused much of its recent audit work on the serious weaknesses in PBGC\xe2\x80\x99s\ninformation technology practices that pose increasing and substantial risks to PBGC\xe2\x80\x99s ability to\ncarry out its mission. For the past two years, PBGC\xe2\x80\x99s annual financial statements audit included\nan adverse opinion on internal control, based in part on systemic information technology security\ncontrol weaknesses. A report on PBGC compliance with the Federal Information Security\nManagement Act described PBGC\xe2\x80\x99s information systems as \xe2\x80\x9ca series of stovepipe solutions built\nupon unplanned and poorly integrated heterogeneous technologies with varying levels of\nobsolescence.\xe2\x80\x9d\n\nThe operations of PBGC are heavily dependent on information technology. During the summer\nof 2008, shortly after I became Inspector General at PBGC, I learned that PBGC frequently\ndismissed OIG\xe2\x80\x99s concerns about information security. The auditors and investigators in my\noffice worked hard to demonstrate the need to enhance attention to this crucial area. In the fall of\n2009, we gave PBGC senior leadership a restricted disclosure presentation on the results of\npenetration testing conducted to discover weaknesses and to exploit discovered vulnerabilities.\nAfter our presentation, new leadership was assigned to enhance PBGC\xe2\x80\x99s security posture and to\ndevelop a long-term corrective action plan to address long-standing issues. Importantly, PBGC\ncommitted to build and manage security controls to an appropriate National Institute of\nStandards and Technology (NIST) standard. Further, PBGC made the decision to enter into an\ninteragency agreement with the Bureau of Public Debt to leverage its expertise in security\ncontrol. PBGC is beginning to actively address serious information technology issues and the\nsubstantial risks they pose for PBGC\xe2\x80\x99s ability to carry out its mission.\n\nThe Corporation has embarked on a coherent approach to resolving and correcting fundamental\ninformation technology weaknesses. PBGC has developed and is implementing multi-year\ncorrective action plans to address security issues at the root cause level. The corrective action\nplans are an important first step that reflects the priority that PBGC leadership places on this\ncritical issue. However, PBGC\xe2\x80\x99s realistic assessment is that a timeframe of between three and\n\n\n                                                                                                    4\n\x0cfive years is needed to achieve the objectives of the PBGC\xe2\x80\x99s plans. According to PBGC\xe2\x80\x99s\nschedule, corrective action for many of OIG\xe2\x80\x99s recommendations will not be complete until 2015.\nCurrent PBGC leadership has been straightforward in acknowledging the challenges it faces in\nrevitalizing PBGC\xe2\x80\x99s information technology processes. Implementing the corrective action\nplans will be difficult and time-consuming. Some of PBGC\xe2\x80\x99s challenges, like the continuous\nstream of new and ever-changing federal requirements, are shared by all federal entities. Others\nare unique to PBGC. For example, PBGC still has an acting Chief Information Officer, PBGC\nsystem security expertise is still maturing, and trust-building is still a work-in-process for the\noffice that manages PBGC\xe2\x80\x99s information technology. Strong leadership and effective, persistent\noversight, from within the organization as well as from the outside, will be needed if PBGC is to\nensure the security of the information technology systems that support the PBGC mission.\n\nPBGC must ensure the integrity of the contracting process.\nPBGC relies heavily on the services of contractors to carry out its operations, a factor that makes\nprocurement and contracting a significant PBGC activity. PBGC reports spending about two-\nthirds of its annual operating budget through contracts. Historically, nearly two of every three\npeople who do the work of PBGC are contract employees, as shown by the following table.\nThus, ensuring that contractors provide the goods and services for which they are paid is critical\nto PBGC\xe2\x80\x99s ability to meet its mission.\n\n                                     2000\n                                                                                              1768\n                                     1800\n                                                                                     1639\n                                     1600\n          Number of PBGC Employees\n\n\n\n\n                                                                                                      1502\n                                                                   1342    1331                                1365\n                                     1400\n                                                          1248\n                                     1200\n\n                                     1000           919                                                      865\n                                              791 775                     776               822      811\n                                          763           773      754              784\n                                      800\n\n                                      600\n\n                                      400\n\n                                      200\n     Federal   0\n     Employees                              2000   2001   2002    2003     2004   2005       2006     2007    2009\n     Contract                                                          Fiscal Year\n     Employees\n\nOIG continues to devote a significant portion of its resources to audits, investigations, and\nreviews of PBGC\xe2\x80\x99s procurement and contracting activities. Forty-three open audit\nrecommendations relate to PBGC\xe2\x80\x99s contracting practices; some have remained open for more\nthan five years without effective resolution. Many of the most critical issues we are currently\n\n                                                                                                                      5\n\x0caddressing have been caused or exacerbated by poor contract management. Our ongoing\nmonitoring also shows a continued need for close management attention in this area.\n\nWhile PBGC places tremendous reliance on its contractors, the Corporation has experienced\nserious and costly problems with the quality and utility of some of the contract deliverables for\nwhich it paid. Many of these issues could have been avoided through effective contract\nmanagement, including careful contract monitoring, acceptance of deliverables, and evaluation\nof contractor performance. PBGC senior leadership also needs to reinforce the idea that\nallowing a contractor to provide a deliverable of a lesser quality than called for in a contract\nconstitutes a form of waste or abuse, if not outright fraud.\n\nPBGC has recently committed to taking a number of important actions to improve the\neffectiveness of its contracting activities. For example:\n\n       Our ongoing reviews of two of the largest single-employer program claims in PBGC\xe2\x80\x99s\n       history show that a PBGC contractor did not exercise due professional care in performing\n       audits of plan assets and of plan participant information. PBGC\xe2\x80\x99s oversight of the\n       contractor was ineffective in identifying obvious and material errors and omissions in the\n       work. To its credit, PBGC leadership is taking action to address the issues, including:\n       (1) contracting for a Certified Public Accounting (CPA) firm to re-perform the work\n       related to these two plan sponsors\xe2\x80\x99 pension plans; (2) developing a plan for how\n       contractor work will be monitored, evaluated, and accepted; and (3) reviewing plan asset\n       evaluations completed over the last two years, with the objective of using identified\n       deficiencies to train reviewers and staff and to update procedures.\n\n       In response to our audit recommendations, PBGC developed a set of Standard Operating\n       Procedures (SOP) to guide procurement activities and establish basic internal controls\n       over the contracting process. Based on our review of the document, the SOPs form a\n       useful \xe2\x80\x9cfirst step\xe2\x80\x9d toward improving procurement effectiveness. However, PBGC\n       leadership needs to develop a method to determine the degree to which those with\n       responsibility for contracting are complying with the new procedures and to make any\n       necessary corrections or adjustments as needed.\n\n       During the course of a recent evaluation, we became aware of a reduction in the\n       minimum qualifications for contract staff at some of PBGC\xe2\x80\x99s remote sites. There was no\n       indication that PBGC sought reduced rates when staff with lesser qualifications were\n       provided or that PBGC confirmed the contractors\xe2\x80\x99 assertions that fully qualified staff\n       could not be retained. Based on our discussions with PBGC management, the\n       Corporation solicited a contractor to provide a thorough and objective assessment of\n       PBGC practices associated with the acquisition, planning and contract administration for\n       the remote site contracts. The resulting report, issued on October 29, 2010, confirmed our\n       initial observations and made fourteen recommendations for improvement in PBGC\xe2\x80\x99s\n       contract modification process. PBGC leadership has committed to implementing the\n       report\xe2\x80\x99s recommendations.\n\n\n\n\n                                                                                                    6\n\x0c       OIG has repeatedly expressed the need for PBGC to be more vigilant about the integrity\n       and effectiveness of its contracting processes. A special team led by the Chief Financial\n       Officer and the General Counsel was established to assist the Procurement Department in\n       responding to open audit recommendations and in enhancing PBGC\xe2\x80\x99s ability to contract\n       effectively and in compliance with relevant guidance. As a result, many long-standing\n       recommendations have been closed and others are nearing completion. Additionally,\n       plans have been made to review the actions of the contracting officer\xe2\x80\x99s technical\n       representatives and the technical monitors who provide day-to-day monitoring and\n       supervision of PBGC\xe2\x80\x99s contractors. PBGC leadership should ensure that these reviews\n       are carried out carefully and that necessary corrective actions are taken if the reviews\n       show a lack of compliance with established contracting practices.\n\nPBGC should prepare strategically for the possibility of a workload surge.\n\nIn response to a request from the Chairman of the Senate Special Committee on Aging, OIG\nreviewed PBGC\xe2\x80\x99s planning efforts to strategically prepare for the potential influx of pension\nplans. In our report, issued last month, we explained our conclusion that PBGC needs to develop\nspecific strategies and tactics to be used in the event of a serious workload surge.\n\nThe recent global economic downturn caused financial hardships for many businesses in a\nnumber of different sectors, which directly impact PBGC\xe2\x80\x99s operations and forecasting. The risk\nof numerous pension plans simultaneously terminating could cause a domino effect requiring\nPBGC to assume a large number of participants in a short period of time. Conversely, if the\neconomy is strong, PBGC may only assume twenty or forty thousand participants in a given year\n(see the chart below).\n\n\n\n 300,000\n                Participants Trusteed by Fiscal Year\n                                                265,238\n 250,000\n                                   197,779                                200,897\n 200,000                     179,403\n                                          139,342\n 150,000\n\n                       90,960                                                   99,000\n 100,000\n           55,573                                               58,434\n                                                       44,708\n  50,000         27,192                                              21,171\n\n      -\n            1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010\n                                   Fiscal Year\n\n\n                                                                                               7\n\x0cThe number of plans that PBGC assumes on a year-to-year basis fluctuates based on numerous\nfactors, mainly the economic strength of the country. PBGC experienced an influx of pension\nplans from FY 2002-2005, when PBGC became responsible for paying more than 700,000\nparticipants from plans that were terminated and trusteed, primarily from the airline and steel\nindustries (see the chart below). PBGC is experiencing one of the busiest periods in its history.\nIn FY 2009, PBGC terminated and trusteed 129 plans with more than 200,000 participants.\nDuring FY 2010, PBGC assumed responsibility for 99,000 additional workers and retirees in 163\nfailed plans.\n\n\n\n                  Plans Trusteed by PBGC by Fiscal Year\n    200\n                                           178\n    180\n                                                                                  163\n    160                              152\n           134                144                 138\n    140                                                                     129\n                                                               115\n    120                 103\n                  99\n    100\n                                                         86\n     80                                                               74\n\n     60\n     40\n     20\n      0\n          1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010\n                                     Fiscal Year\n\nThe Government Accountability Office (GAO) lists PBGC on its High Risk list, in part, because\nPBGC continues to be \xe2\x80\x9cexposed to the threat of terminations of large underfunded pension plans\nsponsored by financially weak firms.\xe2\x80\x9d PBGC acknowledged in its FY 2010 Annual Report\nissued last month that no reasonable estimate could be made of 2011 terminations.\n\nThe future is difficult to predict. The uncertainty about 2011 termination, when considered\ntogether with the exposure noted by GAO, provides sufficient reason for PBGC to expand and\nenhance its planning for possible workload surges.\n\nTo date, the Corporation has generally kept its planning activities simplistic and linear. PBGC\nexecutive leadership explained their belief that a \xe2\x80\x9cplaybook\xe2\x80\x9d approach, explicitly detailing the\nsteps to be taken, was impractical. To their view, because a workload surge could take many\nvaried and unpredictable forms, the only practical option was reliance on the Corporation\xe2\x80\x99s\n\n                                                                                                   8\n\x0cability to develop and implement an \xe2\x80\x9cad hoc\xe2\x80\x9d approach, in the event that a workload surge\nmaterialized. Based on our review, we identified a number of specific activities the Corporation\ncould take to enhance its readiness in the event of a workload surge. These activities could be\nbest implemented as part of an overall strategic plan, an approach that we consider to be a best\npractice. However, even in the absence of a comprehensive Workload Surge Strategy Plan,\nimplementing the recommendations in our report would help position the Corporation to deal\nwith a significant workload surge.\n\nThe Chief Operating Officer responded to our report, noting PBGC\xe2\x80\x99s conclusion that the risk of a\nlarge influx of plans is much lower now than anticipated in FY 2009. Further, his response stated\nmanagement\xe2\x80\x99s belief that the resources needed to address the report\xe2\x80\x99s recommendations would\nbe better used in other higher priority areas. Accordingly, instead of implementing OIG\xe2\x80\x99s\nrecommendations as written, PBGC proposed the creation of a Large Influx Working Group\n(LIWG) Planning Document as a basis for alternative actions to address the recommendations.\nWe will need to review the planning document PBGC proposes to draft before we can determine\nwhether PBGC\xe2\x80\x99s proposed approach adequately addresses the report\xe2\x80\x99s findings.\n\nCONCLUSION\n\nWe recognize PBGC\xe2\x80\x99s progress in addressing numerous high priority areas and support its\nefforts to address our related recommendations. Considering the organization-wide impact of the\ninformation technology security issues and the weaknesses in contracting practices, PBGC\nleadership and those with oversight responsibility should target their oversight efforts on the\neffective execution of the corrective action plans that have been developed. Additionally, for\ncritical weaknesses that cannot be addressed in the near future, interim measures should be\ndeveloped and adopted to minimize the associated risks. OIG will continue our monitoring\nactivities until PBGC demonstrates that it has been fully responsive to our recommendations. In\naddition, we plan future audit work in the areas of highest risk to validate the effectiveness of\nPBGC corrective actions.\n\nMr. Chairman, that concludes my remarks. I would be happy to answer any questions that you\nor other members of the committee may have.\n\n\n\n\n                                                                                                   9\n\x0c'